Uganda blocks social media (again), harms human rights

Peter Micek and Deji Olukotun contributed to this post.

Today the government in Uganda blocked social media services in anticipation of the swearing-in ceremony for President Yoweri Museveni that will take place tomorrow. Uganda’s telecommunications regulator, the Uganda Communications Commission (UCC), confirmed the block, citing “national security” as the reason. This is the second time this year that Uganda has carried out an internet shutdown in the election period. It’s part of a deeply troubling trend, and one that we specifically called out in our submission to the United Nations Human Rights Council for Uganda’s Universal Periodic Review.

The telco Airtel Uganda cited the blocking order from the government here:

MTN Uganda also acknowledged the blocking order:

Ugandans expressed their discontent, connecting the shutdown to one that took place in Ethiopia’s Oromia region:

The last shutdown in Uganda took place in February, when the government blocked WhatsApp, Facebook, Twitter, and mobile banking services just as citizens headed to the polls. At the time, we joined a coalition of groups to ask that the government stop the shutdown.Internet shutdowns do not restore order, protect rights, or keep people safe. They also come at a significant financial cost. Our conservative estimate for the last shutdown in Uganda comes in at around USD$25 million lost per day for e-banking services alone. Currently, in this shutdown, it appears that mobile banking services remain online, but there will likely be knock-on economic effects for blocking social media, which is often a key platform for businesses.

We cannot allow shutdowns to become the new norm in Uganda or anywhere else. Human rights are at stake, and research shows that internet shutdowns and state violence go hand in hand.

That is why we launched the #KeepitOn campaign, through which we aim to dismantle the shutdown “machine” — reaching out to everyone from individuals that are affected to the people at companies, within governments, and at international governmental bodies who can work to stop this harmful practice.

We have recorded more than 10 intentional disruptions so far this year, and we don’t want 2016 to be the year that internet shutdowns become commonplace. We call on the African Union and Human Rights Council at the United Nations to condemn internet shutdowns as violations of international law. Further, we ask all telcos in the country, including MTN and Airtel, to push back against the order using every tool at their disposal, whether legal, political, or commercial.

You can learn more at, where we will be drawing attention to campaigns globally and sharing opportunities to take action. If you’re part of an organization that wants to help stop shutdowns in Africa or anywhere else, you can reach out to Meanwhile, we encourage you to stay tuned by following us on Twitter or Facebook, and participate in the conversation using the hashtag #KeepitOn.

This article was originally published on Ephraim’s professional page on Access Now.

Helping African nations protect human rights online: UPR review

Access Now recently submitted evidence on the digital rights records of both South Sudan (PDF) and Uganda (PDF) for the United Nations Human Rights Council Universal Periodic Review (UPR). The Universal Periodic Review is the cooperative process by which the Human Rights Council reviews the human rights records of all 193 U.N. member states.

Our submissions note ways that South Sudan and Uganda fail to comply with obligations under international human rights law to protect and promote free expression, privacy, Net Neutrality, business and human rights, and digital security. We offer specific recommendations, and will push delegates in Geneva to take them up.

Here’s a look at the digital rights landscape in South Sudan and Uganda, and the implications for people at risk of human rights violations in these countries.

Unity in South Sudan

Two years ago, there was only one Sudan. After a referendum, citizens decided to have two separate countries: Sudan and South Sudan. Today, both countries face grave security and human rights threats, online and off.

To the country’s UPR review, Access Now submitted comments pointing out that while some progress has been made, South Sudan has failed to sign or ratify a number of international human rights instruments. South Sudan has yet to take action on the International Covenant on Civil and Political Rights (ICCPR), the International Covenant on Economic, Social and Cultural Rights (ICESCR), and Convention on the Elimination of All Forms of Racial Discrimination (CERD), among other human rights instruments. An inadequate legal framework for the protection of human rights makes it difficult for state actors and corporations to be held accountable for violations.

Our submission emphasizes that as more connections are made, and more citizens come online, these new internet users would benefit from opportunities for education, training, and capacity-building, so they can learn how to exercise their human rights securely and effectively using information and communications technologies.

The South Sudan government has recently taken steps toward peace in its internal conflict, by forming a transitional unity body and resuming operations after months of negotiations between rebel leaders and the president. The U.N. Security Council has given its vote of confidence to the power-sharing agreement that could end the two year-long civil war there. Given this positive development for peace, Access Now would like to further call on the South Sudan government to protect freedom of the media and digital rights as the nation enters this new phase.

For its part, Sudan — the northern of the two countries — underwent its UPR hearings in Geneva last week. Access Now supported our partners at the African Centre for Justice and Peace Studies, the International Federation for Human Rights (FIDH), and the International Refugee Rights Initiative, as well as other Sudanese and African activists, by participating in an online campaign to highlight the state of human rights in Sudan. We tweeted using the hashtags #UPR25 and #Sudan to draw attention to the country’s devastating 2013 internet shutdown, and its deadly crackdown on student protesters in the capital Khartoum. Internet shutdowns violate human rights, and the country should never shut down the internet again.


Access Now submitted comments focused on an internet shutdown on February 18, 2016, an outage affecting people’s ability to use Twitter, Facebook, and other communications platforms. We explained that a growing body of jurisprudence has found that internet shutdowns violate international law. In 2015, various experts from the United Nations Organization for Security and Co-operation in Europe (OSCE), Organization of American States (OAS), and the African Commission on Human and Peoples’ Rights (ACHPR), issued an historic statement declaring that internet “kill switches” can never be justified under international human rights law, even in times of conflict.

Access Now also emphasized that Uganda should stop buying spyware and surveillance technology. Further, the country should reform the following laws to comply with international law: the Press and Journalist Act of 2000, Penal Code, 2002 Anti-Terrorism Act, and the 2011 Computer Misuse Act.

Where do we go from here?

We recommend that South Sudan and Uganda improve their human rights record and treatment of digital rights in several areas. They should:

    1. Commit to enhancing freedom of expression online and preventing violations by state and non-state actors, such as companies;
    2. Commit to refrain from slowing, blocking, or shutting down internet and telecommunications services, particularly during elections and public assemblies;
    3. Publicly disclose any procurement of or contracts to purchase, maintain, or operate surveillance technology;
    4. Enact laws protecting access to information and preventing network discrimination, also known as Net Neutrality; and
    5. Improve cooperation with United Nations and African Union treaty mechanisms and issue standing invitations to U.N. special procedures such as the U.N. special rapporteurs on freedom of expression and privacy.

We recommend that South Sudan in particular commit to acting upon the resolution on democracy in the digital era of October 21, 2015, which took place during the 133rd Assembly of the Inter-Parliamentary Union (IPU). South Sudan was among the 167 national governments that unanimously adopted the resolution. Further, we recommend it sign and ratify core international human rights instruments including the ICCPR, ICESCR, & CERD, and the Optional Protocols thereto; consult international human rights experts to improve Article 24 of the Transitional Constitution; and enact laws protecting privacy and freedom of expression online.

Reviews later this year

The UPR is an important U.N. process aimed at addressing human rights issues all across the globe. It is a rare mechanism through which citizens around the world get to work with governments to improve human rights and hold them accountable to international law.

The Human Rights Council hearings on South Sudan and Uganda’s UPR reviews will take place in October and November 2016. We encourage you to participate in this process by following along and spreading the word. You can follow the discussions online using the Twitter hashtag for the UPR sessions: #UPR.

This article was originally published on Ephraim’s professional page on Access Now.

Kenya’s KICA ruling: a beacon of hope for free expression in Africa

Kenya has had its reputation for protecting free expression tarnished over the past two years, due to its increasingly harsh and arbitrary enforcement of the highly controversial Section 29 of the Kenya Information and Communications Act (KICA). This section of the law has been used to jail journalists and bloggers for their communications. However, a ruling last month by the Kenyan High Court in the Geoffrey Andare v. Attorney General case represents a beacon of hope for free expression in the region.

The KICA Act was amended in 2014, and the amendments made it possible for Section 29 to be misused to attack free expression, something Kenyan authorities seem to have been increasingly willing to do. In 2015, authorities prosecuted seven people; in 2016, they have prosecuted 13.

On April 19th of this year, Judge Mumbi Ngugi struck down Section 29. Unfortunately, in what could be interpreted a reprisal for her courageous ruling in favor of free expression, she was then transferred the very next day to a court in Kericho (upcountry), where she would be responsible for handling less controversial cases.

Now, the Kenyan government has a crucial decision: it can either accept the court’s ruling, and protect Kenyans’ fundamental human right to free expression, or fight it, and further erode Kenya’s reputation as a champion of free expression.

How does Section 29 threaten free expression?

Section 29 of KICA is the provision that has been used to threaten internet users and bloggers with arrests and prosecution. The clause states:

(a) that a person who by means of a licensed telecommunication system sends a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or (b) sends a message that he knows to be false for the purpose of causing annoyance, inconvenience or needless anxiety to another person; commits an offence and shall be liable on conviction to a fine not exceeding Ksh. 50,000 or to imprisonment for a term not exceeding three months, or both.

This provision is extremely vague, and authorities could therefore use it to prosecute anyone who disagrees with someone in a position of power, including government officials or  members of the private sector and their families. As such it represents a powerful tool for silencing the voices of people who are dissenting from the government or otherwise critiquing those in power. This includes the voices of vulnerable at-risk groups: marginalized minorities, such as women; communities of color; journalists; bloggers; sexual rights activists;  human rights defenders; and others who are not among the powerful elite in Kenya.

Section 29 stood in contravention of international human rights law standards for acceptable limitations on free speech. In the The Sunday Times v The United Kingdom case, the European Court of Human Rights stated that the law must be of “sufficient precision to enable the citizen to regulate his conduct.” This important ruling has been cited at the African Union and African Regional Economic Communities courts, and at various national constitutional courts in Africa and across the world.

In submissions before the court in Geoffrey Andare v. Attorney General, Kenya’s Attorney General (AG) Githu Muigai, and Director of Public Prosecutions (DPP) Keriako Tobiko, argued that Section 29 was aimed at protecting the reputation of others. However, Judge Ngugi rightly rejected this argument, highlighted the fact that there are already laws in place to deal with both libel and defamation.

Kenyan ruling is part of positive trend toward protecting expression

Access Now is heartened by the ruling in Kenya, which lights the way toward increased protections for free expression in the Sub-Saharan Africa region. We see it as part of a growing trend, in line with a December 2014 ruling by the African Court on Human and Peoples’ Rights, which found that imprisonment for defamation violates the right to freedom of expression. The court also condemned the use of criminal laws to restrict free speech in a broad range of circumstances.

Although the African Union ruling relates specifically to criminal defamation, the Kenyan ruling is similar in that Section 29 provisions were being used for the same purpose, to unlawfully curtail free speech. That is why Judge Ngugi struck down Section 29, determining that it violates Article 24 and 33 of Kenya’s Constitution.

The ruling in Kenya is also part of a larger trend, where constitutional courts in democracies in developing countries are protecting fundamental rights. Just last year, India’s Supreme Court struck down Section 66A of the Indian Information Technology Act, a provision similar to Kenya’s Section 29 of KICA.

What now?

As we note above, the Kenyan government must decide to accept the Geoffrey Andare v. Attorney General ruling, or fight it. And it appears, unfortunately, that the Communications Authority of Kenya may be planning to appeal the ruling, even though they were not originally involved in the case.

We call upon the Communications Authority of Kenya and the law officers of the government of Kenya to abandon plans to appeal the ruling and argue for the reinstatement of this unjust and overbearing law.

We also call upon nearby African Union member countries to reform any laws with vague, rights-harming clauses similar to Kenya’s Section 29.

Access Now is closely following the debate in the coming week, and we will remain vigilant and speak out against any attempt to undermine free expression in Kenya.

This article was originally published on Ephraim’s professional page on Access Now.

Digital rights groups ask African Union, U.N. to take action on Uganda social media blackout

Peter Micek and Deji Olukotun contributed to this post.

UPDATE 2/24/2016:  The Uganda Communications Commission stated in a Facebook post on Tuesday that the blocking order comported with the Uganda Communications Act, and wrote “We truly regret the inconvenience all of you might have suffered.” This guarded apology is a thinly veiled admission that the UCC went too far, and marks a step towards the government’s duty to provide a remedy under the U.N. Guiding Principles on Business and Human Rights. We believe President Museveni should apologize for the blocking order and provide effective remedies for affected users, including small business owners impacted by the shutdown of mobile money services. Finally, despite the UCC’s claims, this action did not comport with international law nor with the government of Uganda’s obligations to uphold freedom of expression.

Last week, as the people of Uganda headed to the polls for its presidential election, the government cut off internet services — including Facebook and Twitter — for four days. The reason? MTN Uganda confirmed that the shutdown order, issued by the Uganda Communications Commission, was purportedly to block services “due to a threat to Public Order & Safety.” Other telcos, including Airtel, Smile, Vodafone, and Africel, were also asked to cut off services, and complied.

President Yoweri Museveni, who was seeking re-election, later explained that he had issued the order “because some people use those pathways for telling lies.” A second rationale offered for the shutdown, which included cutting access not only to social media but also mobile money services, was that it would prevent people from offering or taking bribes. Notably, during the voting, opposition candidate Kizza Besigye was confined to house arrest, and President Museveni has now been re-elected to office.

This is an election that observers did not consider free or fair. At Access Now, we are deeply concerned about the shutdown, which directly interfered with citizens’ fundamental right to seek and impart information during the election.

Today, we delivered a joint letter from 23 Ugandan, African, and international organizations to authorities at the African Union and the United Nations, among others, calling for action on the four-day internet shutdown. The letter includes a call for the government to provide redress for those affected by the shutdown; for an investigation of such shutdowns to be conducted; and for the United Nations to pass a resolution declaring that shutdowns are a violation of human rights. You can read it here.

In the the letter, the coalition states:

Research shows that internet shutdowns and state violence go hand in hand. Shutdowns disrupt the free flow of information and create a cover of darkness that allows state repression to occur without scrutiny. Worryingly, Uganda has joined an alarming global trend of government-mandated shutdowns during elections, a practice that many African Union member governments have recently adopted, including:  Burundi, Congo-Brazzaville, Egypt, Sudan, the Central African Republic, Niger, Democratic Republic of Congo.

Internet shutdowns — with governments ordering the suspension or throttling of entire networks, often during elections or public protests — must never be allowed to become the new normal. Justified for public safety purposes, shutdowns instead cut off access to vital information, e-financing, and emergency services, plunging whole societies into fear and destabilizing the internet’s power to support small business livelihoods and drive economic development… Uganda’s shutdown occurred as more than 25 African Union member countries are preparing to conduct presidential, local, general or parliamentary elections.

The letter specifically asks for authorities to:

  • call upon the Ugandan government to provide redress to victims of the internet shutdown, and pledge not to issue similar orders in the future;
  • call on African states to uphold their human rights obligations, and not to take disproportionate responses like issuing shutdown orders, especially during sensitive moments like elections;
  • investigate shutdowns, in their various forms, in order to produce public reports that examine this alarming trend and its impact on human rights, and make recommendations to governments and companies on how to prevent future disruptions;
  • encourage telecommunications and internet services providers to respect human rights and resist unlawful orders to violate user rights, including through public disclosures and transparency reports;
  • encourage the African Commission on People’s and Human Rights, the United Nations Human Rights Council, and the U.N. General Assembly to resolve that internet shutdowns violate freedom of expression per se and without legal justification.

The letter was signed by Access Now, Association for Progressive Communications (APC), African Centre for Democracy and Human Rights Studies (ACDHRS), Article 19 East Africa, Chapter Four Uganda, CIPESA, CIVICUS, Committee to Protect Journalists, DefendDefenders (The East and Horn of Africa Human Rights Defenders Project), Electronic Frontier Foundation, Global Partners Digital, Hivos East Africa, Index on Censorship, ifreedom Uganda, Integrating Livelihoods thru Communication Information Technology (ILICIT Africa), International Commission of Jurists, ISOC Uganda, Kenya, KICTANet, Media Rights Agenda, the African Media Initiative (AMI), Unwanted Witness, Web We Want Foundation, Women of Uganda Network (WOUGNET), and the Zimbabwe Human Rights NGO Forum.

Help us fight internet shutdowns

Internet shutdowns do not restore order, protect rights, or keep people safe. They are a blunt instrument that should never be wielded by a democratic regime that protects human rights. We’ll be stepping up our fight against internet shutdowns in 2016. To stay updated and find out how you can join the fight, follow us on Facebook or Twitter, and subscribe to our newsletter.

This article was originally published on Ephraim’s professional page on Access Now.

Uganda blocks Twitter and Facebook on election day in latest internet shutdown

Deji Olukotun contributed to this post.

The government of Uganda ordered telecommunications companies to block social media on Thursday as the country prepared to vote for national elections. Journalists recorded that Twitter and Facebook were blocked, but circumvention of the block was possible, in some instances, through the use of Virtual Private Networks (VPNs). Leading mobile internet service provider MTN confirmed the order from the government in a Tweet.

The blocking in the country followed an outage earlier this week, confirmed by Access Now, that may have been a test of the telcos’ blocking capability. The United Nations Office of the High Commissioner on Human Rights has since spoken with Ugandan authorities to discuss the human rights impact of their blocking order.

Uganda has clamped down on free expression and privacy in the lead up to this month’s presidential election. The country acquired sophisticated surveillance software at the close of 2015, when the military bought Finfisher’s malware intrusion software, which allows the infection of devices and monitoring by operators of the software. This year the government has also intimidated and attacked journalists, paralyzing journalist Andrew Lwanga from the waist down for covering a street protest in January.

Although MTN publicly announced the blocking order, the company shared the user data of about 10 million subscribers with the ruling party in the run up to the elections. In turn, MTN users received a text message from the National Resistance Movement’s Tuongee Communication Center encouraging them to vote for the sitting president, Yoweri Kaguta Museveni. The Ugandan Election Commission, tasked with overseeing voting on February 16, also banned mobile phones from polling stations. MTN has a complex relationship on the continent, where it faces a nearly $4 billion fine in Nigeria for, ironically, safeguarding the anonymity of its users by not requiring the registration of identification for SIM cards.

Internet shutdowns harm everyone

Internet shutdowns do not restore order, protect rights, or keep people safe. They are a blunt instrument that should never be wielded by a democratic regime that protects human rights. Yet they are on the rise worldwide. In 2015, we recorded nearly 20 shutdowns across the globe. This is a very important opportunity to be vigilant about defending and extending digital rights especially as previous research shows internet Shutdowns and state violence go hand in hand.

Last year, experts at the U.N. issued an historic statement declaring that internet “kill switches” can never be justified under international human rights law, even in times of conflict. And Access Now urged African Union and U.N. leaders to take action on a similar shutdown in Burundi. Whether shutdowns take place in in Egypt, Sudan, the Central African Republic, Niger, Democratic Republic of Congo, Congo-Brazzaville, Burundi, or any other place, shutdowns to quell protests or silence dissent are not just ineffective. They are a clear violation of our fundamental rights.

This article was originally published on Ephraim’s professional page on Access Now.

Telcos find backbone, deny Guinea’s request for users’ data

Peter Micek contributed to this post. 

In contrast to U.S. telcos, African operators push back on rights-violating demands

Three telecommunications companies in the west African nation of Guinea Conakry (formerly French Guinea) just said “no” to demands that they hand over all subscriber and call data.

On January 6th, Guinea’s post and telecommunications regulator, the Autorité de Régulation des Postes et Télécommunications (ARPT), told the companies that it intends to set up a central control center for all voice and data traffic, in order to quantify the volume of calls, tax the telcos, and certify their revenue. The demand, signed by the Director General, says that to create this center, the ARPT needs the telcos to hand over all call detail records and subscriber data for the month of December.

Call detail records show the date, time, duration, sender and receiver, and even location, among other data points, of phone calls and SMS. You may recall that the U.S. government collected millions of call detail records from telcos in its now-shuttered program of mass surveillance under Section 215 of the USA PATRIOT Act. For its part, the U.K. is considering surveillance laws that could have the same impact that the U.S. program did, requiring bulk data retention of all personal data and enabling bulk interception.

Unlike U.S. telcos under PATRIOT, three of Guinea’s biggest operators — Orange Guinee, MTN Guinee, and Cellcom Guinee — jointly pushed back on the request. In a letter on January 19th, they told the government that its request suffered from a “total absence of legal basis,” and violates privacy protections in the Guinean Constitution and the Universal Declaration of Human Rights. Creating the control center would exceed the scope of the Guinean telecoms law, the telcos said.

The request also infringes the African Union Convention on Cyber Security and Personal Data Protection, including Article 13, which mandates that data collection be “not excessive in relation to the purposes for which they are collected and further processed.” It is not necessary for authorities to have access to all call data in order to calculate tax records.

The regulator invited the companies to a meeting on January 21st, which according to our sources did not go well. Representatives of the ARPT stated that they intend to set up the control center with or without the telcos’ assistance. This unilateral demand runs contrary to the approach the government has committed to in many processes, such as its multi-stakeholder approach to internet governance, including the 2005 African Information and Communication Technologies (ICT) Ministers Common Position on Internet Governance.

Additionally, the government has threatened to fine the companies about $640. It’s not clear whether the fine is per day of non-compliance, or per user, in which case the final sum would be much higher. Since MTN Nigeria is currently in court fighting a fine of nearly $4 billion USD, we’re concerned that conservative telecom regulators are learning from one another, levying fines in an effort to restrict expression and control the explosive popularity of mobile communications.

Pushback – a corporate duty across the globe

The right to privacy, established under international and domestic law, prevents unnecessary and disproportionate invasions of privacy. The right also protects vulnerable groups from the chilling effects and possible retaliation that they may face for voicing unpopular opinions, or associating with oppressed or dissident groups. We are glad to see telcos standing up to the Guinean government’s request, which would violate human rights by arbitrarily and unlawfully infringing the privacy of all Guinean mobile phone users.

Under the U.N. Guiding Principles on Business & Human Rights, corporations have a duty to avoid contributing to potential adverse human rights impacts in their operations. Courts increasingly recognize that this duty obligates companies to stand up for their customers’ rights, a norm that is becoming customary international law.

When asked to help governments violate human rights, telcos — and other tech and telecom companies — have many “pushback” tools at their disposal. The Access Now Telco Action Plan has guidance for preventing and mitigating involvement in human rights abuses. We are happy to say that in this case, the telcos in Guinea followed many of our recommendations:

  • insisting government requests are consistent with international human rights law and standards, and rejecting those that fall short;
  • transparently reaching out to civil society and other external stakeholders to raise alerts about possible rights restrictions;
  • contacting peer companies in the region to engage in dialogue and advocacy as needed; and
  • documenting and publishing responses to government requests.

We support these telcos as they continue to push back and stand up for user privacy, and request that they transparently use all legal, diplomatic, and business tools at their disposal.

We also call on the Guinean government to withdraw its request for user data, and to strictly scrutinize its plan to create a central control center, for consistency with domestic and international law and norms, including the African Declaration on Internet Rights and Freedoms.

Centralized databases or choke points for telecommunications data increase the risks of breach and misuse of sensitive user data, and put all users at risk of unlawful surveillance, especially when governments obtain direct access to telco networks and data. Whether or not the central control center is legal under Guinean law, we guarantee it will not encourage innovation or the free flow of information in the country.

Whether in Guinea, the U.S., or the U.K., governments do not have the right to demand blanket handover of user data, and it’s in everyone’s interest — from telcos to human rights defenders — to push back the way Orange, MTN, and Cellcom have done.

This article was originally published on Ephraim’s professional page on Access Now.

South Africa draft cybersecurity and cybercrime bill misses the mark

Drew Mitnick contributed to this post. 


The South African government has closed a period of consultation on a draft cybersecurity and cybercrime bill that, as written, undermines the rights to privacy, lacks transparency, and chills cybersecurity research and online expression.

Access Now provided written recommendations to the South African Department of Justice and Constitutional Development on how to fix the draft to protect human rights and digital security. While increasing security online is critical to protecting internet users in South Africa, lawmakers should consider making changes to this draft so that vague language and expansive new government powers do not threaten fundamental rights.

The consultation period ended over a year after the African Union (AU) approved the African Union Convention on Cyber Security and Personal Data Protection at the 23rd African Union Summit. We congratulated the African Union on its effort to ensure digital security, but we noted that countries should recognize the flaws in the convention and implement digital security laws in an open, consultative, and multistakeholder way. Previously, we highlighted how some domestic legislation poses emerging threats to digital rights in Africa.

New crimes for unlawful activity online

 The draft Cybercrimes and Cybersecurity Bill creates new structures for government management of cybersecurity and cybercrimes. It does so in part by creating a series of new crimes for unlawful activity online. The new restrictions pose a risk to freedom of expression through vague language that risks chilling cybersecurity research and other socially desirable activity, such as journalism and whistleblowing. Journalists and whistleblowers already have limited access to information in many African nations, which lack freedom of information laws. In the recent past, security research has already protected South African drivers from the release of personal information and has protected South Africans from the 2013 vulnerability on the  City of Johannesburg’s online billing system website.

Fails to provide adequate privacy protections

The bill creates a new standard for searching or seizing data. The standard, however, fails to provide adequate privacy protections. We urge South Africa to follow the Universal Implementation Guide for the International Principles on the Application of Human Rights to Communications Data to bring surveillance law in line with international human rights standards. The bill also compels service providers to report cybercrime offenses to the government while preserving related data. Such mandated reporting can effectively serve as an outsourcing of communications surveillance to internet intermediaries that are frequently ill-equipped to protect user privacy.

Limits transparency on government requests for data

The bill also limits law enforcement and service providers’ ability to report on government requests for data. It does so by prohibiting the disclosure of information obtained in enforcing the bill. Service providers’ business models depend on gaining the trust of their customers, and barring companies from disclosure interferes with their ability to be transparent and build user trust. Further, reporting on government requests is critical to the public discussion about the proper role of government in providing security while protecting rights.

Our recommendations

In response to these concerns, we made the following recommendations:

1.) do not permit the issuance of a warrant for communication surveillance unless the request satisfies the standards of necessity and proportionality;

 2.) do not include a mandate that electronic communications service providers report incidents to the National Cybercrime Centre. Participation should instead be optional;

 3.) clarify that law enforcement and service providers have the authority to publish records of requests for communications surveillance; and

4.) protect the work of security researchers, whistleblowers, and journalists by specifically excepting those activities undertaken in the public interest from prosecution under unlawful access and related crimes.

Improving digital security in South Africa entails increasing the internet’s viability and usefulness as a platform for communications, and as a driver of commerce, education, health, and development more generally. Security measures are an integral part of the effort to expand global access to information and communications technologies. However, the provisions in the draft law risk these goals.

You can read the full submission (PDF). Access Now will continue to engage with South Africa and countries across the continent to ensure that laws designed to protect users from cybersecurity threats do not undermine their rights.

This article was originally published on Ephraim’s professional page on Access Now.

How are the African nations of Mauritania and Rwanda doing when it comes to human rights online?

Right now the United Nations Human Rights Council is holding its 23rd Universal Periodic Review (UPR) working group session (November 2nd-13th, 2015). The Universal Periodic Review is the cooperative process by which the Human Rights Council reviews the human rights records of all 193 U.N. member states.

Here’s a look at the digital rights landscape in Mauritania and Rwanda, and the implications for people at risk of human rights violations in these countries.

Mauritania – domestic and international human rights obligations

Mauritania has signed on to various international human rights instruments, including the International Covenant on Civil and Political Rights (ICCPR), the Convention against Torture (CAT), the Convention against Enforced Disappearance (ICCPED), and the Optional Protocol to the CAT (OPCAT).

Article 10 of Mauritania’s constitution (PDF) guarantees to all citizens the freedom of expression, assembly, and association. However, according to the UPR, these rights are being violated.

Violation of digital rights in Mauritania

There has been systematic disregard of digital rights in Mauritania. These include:

  • Violation of access to information/ freedom of expression

June 13–21, 2011: The Emirati government applied pressure on an Emirati company to block the website of a Mauritanian newspaper El Badil Al Thalith. This censorship took place after the newspaper published articles criticising Arab leaders, including the United Arab Emirates government.

  • Violation of freedom of expression

August 7, 2013: Security forces arrested Mauritanian blogger Babbah Weld Abidine, the editor of the Lebjawi News blog, after he made an inquiry at the Public Prosecution office about a rape case in which the victim’s relatives accused the prosecutor’s office of releasing the rapist without charges.

December 2014: A blogger, Mr Cheikh Ould Mkheitir, was sentenced to death for apostasy. This was after he expressed his opinions via social media, criticising the inequalities in Mauritanian society and its caste system and challenging its conformity with Islam.

December 2014: An independent journalist, Hanevy Ould Dehah, reported receiving unspecific threats (PDF). He is the founder and manager of a leading news website, which publishes reports on corruption in the country. Subsequently, in January 2015, a group of unidentified persons physically assaulted (PDF) him on his way home. In 2010, after being sentenced to a two year prison term and jailed for eight months, he was freed under a presidential pardon issued in honor of Mawlid (the Prophet Mohammed’s birthday).

Rwanda – domestic and international human rights obligations

Rwanda has signed various international human rights instruments, including the ICCPR and CAT, among others.

Under Rwanda’s constitution (PDF), all citizens are guaranteed the right to privacy and freedom of expression. Other laws in Rwanda that are relevant to digital rights include:

  • Article 281, 285, 286 and 287 of Rwanda’s penal code (PDF), relevant to the right to privacy
  • Article 4, Law No 03/2013 of 08/02/2013 regulating access to information, relevant to the right to free expression.

To its credit, Rwanda’s government has embarked on ambitious programs to bring faster internet to a largely rural nation. However, it is notable that Rwanda lacks a specific data protection law. In 2013, legislators drafted a bill on data protection, but Rwandese citizens criticized the bill because there were broad exceptions to protections for personal data, justified on the grounds of protecting national sovereignty, national security and public policy.

Violation of digital rights in Rwanda

Despite the protections in the law in Rwanda, there have been reported incidents of digital rights being violated. These include:

  • Violation of access to information/ freedom of expression

In 2011: The government banned (PDF) the website of the independent newspaper Umuvugizi, citing allegations of publishing “divisive language.” Freedom House researchers also reported that some Internet Service Providers (ISPs) carried out a block (PDF) of a few opposition sites, although they remained available online through other service providers.

In late 2014: the government added (PDF) the BBC’s website to the list of websites blocked in Rwanda as part of its crackdown on those broadcasting the documentary, Rwanda, The Untold Story. The program reported on allegations that the number of Hutus who died during the 1994 Rwanda genocide was much higher than officially recognized.

 In May 2015: According to a study conducted in early 2015, there were instances when the websites of the following independent news outlets and opposition blogs could not be accessed within Rwanda: Inyenyeri News, Veritas Info, The Rwandan, Leprophete, and Rwanda Democracy Watch.

  • Violation of privacy

In July 2015: Evidence in email leaked from Hacking Team, the Italian surveillance firm, shows that in 2012, the Rwandan government may have attempted to purchase the company’s sophisticated spyware, known as Remote Control System (RCS).

Where do we go from here?

Civil society organizations point out that both Mauritania and Rwanda have made significant improvements in ensuring compliance with recommendations from their previous Universal Periodic Review. This is the second review for both Mauritania and Rwanda, last reviewed in November 2010 and January 2011 respectively, and they now have an opportunity to:

  • Commit to acting upon the resolution of October 21, 2015, which took place during the 133rd Assembly of the Inter-Parliamentary Union (IPU). Mauritania and Rwanda were among the 167 national governments that unanimously adopted the resolution on democracy in the digital era;
  • Commit to enhancing freedom of expression online and preventing violations by state and non-state actors, such as companies;
  • Cooperate more fully with United Nations and African Union treaty mechanisms and the work of special procedures such as those carried out by the U.N. special rapporteurs on freedom of expression and privacy; and
  • Enact laws guaranteeing access to information and preventing net discrimination.

The UPR is an important U.N. process aimed at addressing human rights issues all across the globe. It is a rare mechanism through which citizens around the world get to work with governments to improve human rights and hold them accountable to international law.

We encourage you to participate in this process by following along and spreading the word. You can follow the discussions online using the Twitter hashtags for the 23rd UPR session: #UPR and #UPR23

This article was originally published on Ephraim’s professional page on Access Now.

U.S. eases sanctions on tech exports to Sudan


This week the U.S. government issued a General License to provide internet users in Sudan with easier access to the web and a wide range of software, hardware, and services “incident to personal communications.” U.S. sanctions against Sudan have been in place since 1997, and previously made it illegal for U.S. companies or individuals to export laptops, cell phones, or modems to Sudan. Access applauds the move, which follows years of advocacy by civil society groups in the U.S. and Sudan.

For years, the sanctions made it difficult for Sudanese users to access the internet or exercise their human right to freedom of expression online. Access had earlier joined other groups in pressuring U.S. authorities on sanctions in Sudan in 2013–and we’re grateful to see results.

We hope the General License and the lifting of these sanctions will encourage the U.S. government to consider the impact of future sanctions on the ability of users at risk everywhere to access the internet.

General Licenses
As a result of civil society pressure, the Department of Treasury and the Department of Commerce in recent years have carved out exceptions for internet tools and services for “personal communications technology” and consumer communications devices. Access has long supported such authorizations, including those approved by U.S. authorities in Iran in 2013 and Cuba in 2015.

As we highlighted in 2013: “As the struggle for human rights increasingly moves online, access to personal communications technologies is proving critical to the realization of fundamental freedoms. But users in Syria, Cuba, Sudan, North Korea, and up until recently, Iran, have had to surmount not only their own government’s restrictive policies, but U.S. sanctions too.”

U.S. sanctions on the export of technology to Sudan have impeded access to a long list of important tools, including anti-virus software, online app stores, proxy tools, and any fee-based services used for personal communications, including web hosting, virtual private networks (VPNs), and other tools critical for the exercise of human rights online.

This General License is especially timely, as on Monday, the Sudanese regime had begun imposing increasingly restrictive media policies by seizing the print runs of 14 different newspapers. Technology enables free expression on an unprecedented scale, especially in repressive environments. That’s why Access also approached Sudanese telcos to protest an internet shutdown in 2013.

Companies need to honor the General License
Lifting sanctions through a General License is only the first step. Companies must now take care to implement the new authorizations by allowing users in those areas to download, buy, or otherwise access their products and services. In short, companies must not “over-comply” with previous sanctions by continuing to ban their use, as Access noted last year.

Turning towards Crimea
Meanwhile, last week Access joined other rights groups in a letter calling for OFAC to issue a General License that would protect internet users in Crimea. Like in Sudan, sanctions issued in December 2014 have impacted the ability of people in Crimea to access the global internet.

Meanwhile, we applaud U.S. authorities for taking this crucial step toward helping the people of Sudan realize their fundamental rights.

The full text of the Sudan General License is available here.

photo credit: ITU

This article was originally published on Ephraim’s professional page on Access Now.

Emerging threats in cybersecurity and data protection legislation in African Union countries

In January 2015, heads of state met at the 24th African Union Summit to discuss the “African Union Agenda 2063” with the goal of enabling “a continent on equal footing with the rest of the world as an information society.” The summit, which is attended by 54 African governments, occurred at a critical time for cyber security after the AU approved the African Union Convention on Cyber Security and Personal Data Protection in June. While Access applauds the human rights protections enshrined in the convention, we are deeply troubled by draft legislation that has emerged across the continent that tramples rights in the name of implementing the convention.

The Convention was originally scheduled to pass in January 2014, but was delayed for modifications after protests by the private sector, civil society organizations, and privacy experts—all of whom had very little involvement in the drafting process. But a number of countries promulgated harmful new cybersecurity legislation after it was improved in June.

As Access noted in analyzing both versions of the Convention, the Convention has some positive provisions but still needs strengthening. It requires states to consider human rights in implementing cyber security legislation, but it also supports greater government control of private user data. For example, the Convention permits governments to process private data when “in the  public interest,” a confusingly vague standard.

The Convention has not yet been ratified by any AU countries, a process which requires the executive or the legislature to deposit instruments of ratification with the AU secretariat in Addis Ababa, Ethiopia. However, that hasn’t stopped several countries from racing ahead with rushed, and potentially harmful, legislation. We have tracked proposed cyber and data protection laws in Kenya, Madagascar, Mauritania, Morocco, Tanzania, Tunisia, and Uganda. Several of the domestic reform bills fail to provide basic protections for user data. Worse yet, other bills enable the government to violate the rights of privacy, expression, and assembly.

Before countries further codify harmful laws, Access urges them to first ratify the Convention. Once they have done so, they should carefully implement the Convention’s framework with legislation that respects human rights. These domestic reform efforts should be carried out in open, consultative, multi-stakeholder processes with input from civil society organizations and subject-matter experts.


Much of Africa is currently considering similar bills as they look to fulfill the aims of the AU Convention. The featured countries are in fact just a small sample of the bills being considered—from Mauritania, to Botswana, to Uganda, 2015 will bring many exciting challenges and opportunities for digital rights on the Continent. But lawmakers should not put the cart before the horse, and ratify the African Convention before moving ahead too rashly.

This article was originally published on Ephraim’s professional page on Access Now.

Legal battle in Kenya set to determine country’s surveillance future

Access Now Policy Team and Drew Mitnick contributed to this post. 

The High Court of Kenya has temporarily suspended the implementation of eight clauses of the Security Laws (Amendment) Act of 2014, which restricts the exercise of human rights in Kenya. In a challenge brought by Coalition for Reforms and Democracy and the Kenya National Commission on Human Rights, the High Court held on January 2 that portions of the law, which passed in December 2014, may “infringe upon the freedoms and fundamental rights.” These provisions will now be suspended pending a full trial. Access applauds the High Court’s decision in suspending these parts of the law and urges the Court to thoroughly consider the entire law’s human rights impact in its ultimate assessment.

The High Court’s decision may come as no surprise, given that members of Parliament physically ripped apart the bill during deliberations and protesters demonstrated in the streets during the vote. The suspension by the court signals an important recognition of the bill’s deficiencies, especially given the Court’s duty to uphold the Bill of Rights against violations or infringements. The High Court cited potential conflicts between the law and Kenya’s Constitution as well as international human rights obligations. In particular, the law threatens the right to privacy and the freedom of expression and freedom of assembly.

Amongst the suspended provisions are two clauses that Access identified as particularly pernicious. Article 56, now known as the Special Operations provision (previously “Covert Operations”) granted the National Intelligence Service broad authority to conduct warrantless searches. As we noted, “this national security provision would be nearly limitless and flies in the face of international human rights law.” The High Court also suspended changes to the Prevention of Terrorism Act that would make it illegal to issue statements, such as Tweets or Facebook Posts, “likely to be understood” as encouraging terrorism, a vague and easily-abused standard.

Despite the opposition to the law, Kenyan government officials plan to fight for immediate authority under the suspended provisions. Mere days after the suspension, Kenya’s Attorney General reportedly asked the Court of Appeal on January 6 to overturn the High Court’s decision. We now urge the Court of Appeal to reject the Attorney General’s motion and for the High Court to fully consider the human rights impact of these provisions and the law as a whole when the case comes up for review. As the Court noted, anti-terrorism laws must be effective, but they also “must pass Constitutional and legal muster.”

This article was originally published on Ephraim’s professional page on Access Now.

Ignoring Protests, Kenya Parliament Approves Dangerous National Security Law

The parliament in Kenya approved a dangerous new national security law yesterday. The vote was first interrupted by protests outside the venue, and the debate became so contentious that parliament had to be stalled for 30 minutes after elected representatives tore up drafts of the bill and engaged in a physical fight. Rights groups including Article 19, Kenya National Human Rights Commission, and Commission on Implementation of the Constitution plan to appeal the new law at the High Court, a court of first instance which can rule whether the new law conflicts with the Constitution.

As Access explained in our earlier call for parliament to reject the legislation, the law not only affects privacy rights, it can harm freedom of expression:

The 90-page Security Bill would amend a number of Kenyan laws. One of the most noteworthy provisions is Article 66 on Covert Operations, which would permit extrajudicial surveillance. If enacted, the Director-General of the National Intelligence Service could order a “covert operation,” without court approval or review to enter any place, or to search or seize any record or communication. In fact, the bill would grant broad authority to “do anything considered necessary to preserve national security.”

This national security provision would be nearly limitless and flies in the face of international human rights law. Each act under the covert operation provision would remain valid for 180 days unless extended by the Director-General. There are no provisions for public accountability or oversight, the language would replace the existing section of the National Intelligence Service Act, which currently requires government agents to get a warrant from a judge of Kenya’s High Court when there is reasonable grounds to investigate terrorism.

This is a setback for the largest economy in East Africa, which is increasingly becoming a major technology hub. We will closely follow the debate in the coming weeks.

This article was originally published on Ephraim’s professional page on Access Now.